Trust Center
How Apex protects your data
Live posture. If a certification here says “in progress,” that's because it's in progress — we don't pre-claim compliance. Security contacts are one email away.
Certifications & frameworks
SOC 2 Type II
In progress: Readiness audit kicked off Sprint 4 with Vanta. Target Type II report by Q2 2027.
ISO 27001
Planned: Post-launch Q3 2027. Prerequisite for EU enterprise deals.
GDPR
Certified: DPA available on request; sub-processor list below; right-to-erasure + right-to-portability implemented.
POPIA (South Africa)
Certified: Compliant with Protection of Personal Information Act — our primary launch jurisdiction.
CCPA
In progress: Opt-out + data-subject-request flows implemented; full registration pending.
EU AI Act Article 50
In progress: AI-generated content disclosure + machine-readable marking ships Q2 2027.
Data residency
Pick the region where your tenant lives at workspace creation. Data stays in-region — no cross-border replication.
European Union (Frankfurt)
Planned: Primary data center in Frankfurt; backups in Ireland.
Expected: 6/1/2027
United States (us-east-1)
Available: Primary data center in Virginia; backups in Oregon.
South Africa (Johannesburg)
Available: Primary data center in Johannesburg. Our default for African-market customers — POPIA-aligned.
Asia-Pacific (Singapore)
Planned: Singapore; covers APAC enterprise customers.
Expected: 9/1/2027
Sub-processors
Vendors that process your data on Apex's behalf. Adding a new vendor updates this list before go-live — you can subscribe to changes via our events API.
| Vendor | Purpose | Data | Country | Policy |
|---|---|---|---|---|
| Supabase | Primary Postgres database + auth provider | All account, brand, audit, monitoring, and billing-state data | US | Privacy → |
| Anthropic | LLM inference (Claude) | Brand metadata, content samples, generated drafts | US | Privacy → |
| OpenAI | LLM inference (GPT-4/5) | Brand metadata, content samples, generated drafts | US | Privacy → |
| | LLM inference (Gemini, NotebookLM), Search Console, Analytics | Brand queries, site analytics, search performance | US | Privacy → |
| Perplexity AI | LLM inference (Perplexity) | Brand monitoring prompts | US | Privacy → |
| xAI | LLM inference (Grok) | Brand monitoring prompts | US | Privacy → |
| DeepSeek | LLM inference (DeepSeek) | Brand monitoring prompts | CN | Privacy → |
| Mistral AI | LLM inference (Mistral) | Brand monitoring prompts | FR | Privacy → |
| Cohere | LLM inference (Cohere) | Brand monitoring prompts | US | Privacy → |
| Together AI | Hosted-LLM inference (Janus, Llama, and other open-weights models) | Brand monitoring prompts | US | Privacy → |
| Moonshot AI | LLM inference (Kimi) | Brand monitoring prompts | CN | Privacy → |
| Alibaba Cloud | LLM inference (Qwen via DashScope) | Brand monitoring prompts | CN | Privacy → |
| Yandex Cloud | LLM inference (YandexGPT) | Brand monitoring prompts | RU | Privacy → |
| Microsoft | LLM inference (Copilot, Bing Copilot via Bing Search API) | Brand monitoring prompts | US | Privacy → |
| Pinecone | Vector embeddings store for semantic search and content retrieval | Embeddings of customer content and brand metadata | US | Privacy → |
| Cloudflare | CDN, DDoS protection, R2 backup storage | All traffic; encrypted backups | US | Privacy → |
| Upstash | Redis cache + queue | Ephemeral job payloads, rate-limit counters | US | Privacy → |
| Bugsink (self-hosted) | Error tracking — Sentry-protocol-compatible, self-hosted at errors.isaflow.co.za | Application errors, redacted stack traces. Data never leaves infrastructure we control. | ZA | Privacy → |
| Stripe | Billing + payment processing (global customers, USD) | Billing emails, payment tokens (card data never touches our servers) | US | Privacy → |
| Paystack | Billing + payment processing (South African customers, ZAR) | Billing emails, payment tokens (card data never touches our servers) | ZA | Privacy → |
| DataForSEO | AI keyword volume data for Prompt Radar | Keywords only; no brand-identifying data | US | Privacy → |
Uptime & incidents
12-month uptime
Insufficient data
Launching — data collection in progress
Postmortems published
0
Every Sev-1 incident gets a public writeup within 5 business days
Status page
Live